Targeted, Persistent Spyware called Pegasus

A powerful mobile cyber espionage tool has just been identified and caught in the real world, outside of movies and security firm labs. And while we are dispelling myths, note that this exploit operates on Apple’s iOS, the “more secure” mobile operating system.

Your smartphone is the best surveillance and infiltration tool ever created. Smartphones have microphones, cameras and GPS, are used for every kind of communication, both personal and official, and are always on and always connected. A cybercriminal who can gain deep enough control of your phone can spy on you in every way 24/7, exposing you and any company or organization you are affiliated with to extortion or worse – at least in theory.

Today, again, we move from theory to reality. Foreign governments are really using smartphones to spy on high-profile individuals right now, using a product called Pegasus from the cyber offensive company NSO out of Israel. As with any weapon, there will inevitably be a debate about whether there should be greater regulation of such cyber warfare tools. But right now, people need to know how to protect themselves from it.

The short answer is that anyone with an Apple mobile device should immediately upgrade to iOS version 9.3.5, just released by Apple to address this threat. The longer answer is that there will be more tools like Pegasus, but there are things you can do to protect yourself.

What is Pegasus and how does it work?

First, let’s understand how Pegasus works and what it does. Pegasus exploits a combination of three vulnerabilities, referred to collectively as Trident, that together provide persistent and unlimited access to all activity on the device. Code analysis indicates the original version was written for iOS 7, so this has been around for a couple of years. The first vulnerability gives the attacker low-level privileges, but the next two are required to gain kernel access. The second vulnerability leaks information about the kernel’s layout in memory that makes it possible to inject malicious code at a specific location. The third vulnerability enables the attacker to gain persistent kernel access. All of this can be accomplished without the victim knowing the device is compromised.

The first vulnerability is triggered through the Safari process and leaves the attacker with low-level privileges on the device.

iOS uses a technology called kASLR (kernel address space layout randomization), which loads the kernel at a random address so that exploits cannot rely on fixed kernel locations. CVE-2016-4655 is a vulnerability that leaks pointers from the kernel, allowing the attacker to learn where it resides and bypass kASLR protections.

The last vulnerability (CVE-2016-4656) allows the attacker to escalate their privileges to kernel level and make the spyware persistent on the device.

This means that all it takes is clicking on a link, and the device is owned by the attacker without the victim being aware that anything has happened. The attacker may now monitor every activity, location and all communications on the compromised device.

This exploit could also be delivered through a man-in-the-middle or captive-network attack, where the attacker manipulates content in transit and the victim does not even need to click on a link.

How to protect yourself from Pegasus and other similar threats

There is no sure way to avoid all threats, but there are things you can do to minimize your risk:

Always be sure your device is running the latest version of iOS. For Pegasus, please upgrade to iOS 9.3.5.

Never click on a link unless you trust the person who sent it to you and you know where the URL leads.

Use a Mobile Threat Defense solution on all mobile devices – for protection and visibility of risks.
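The first recommendation above, keeping every device on a patched iOS, only works at organizational scale if someone can tell which enrolled devices are still below iOS 9.3.5. The following is an added example (not Skycure code or anything from the original post) of the check a mobile device management or Mobile Threat Defense inventory script would run: it parses the version strings devices report and compares them numerically against the patched release. The inventory entries are constructed sample data, and the field names `id` and `os_version` are assumptions. Note the edge cases: a plain string comparison would wrongly rank "10.0" below "9.3.5", and a two-component version such as "9.3" must be treated as older than "9.3.5".

```python
"""Flag iOS devices in a fleet inventory that are still exposed to the
Trident vulnerabilities, which Apple patched in iOS 9.3.5.

Version strings are compared component-wise as integers. A naive string
comparison would wrongly treat "10.0" as older than "9.3.5".
"""
import re

# First iOS release that fixes the Trident chain (CVE-2016-4655/4656), per the post.
TRIDENT_PATCHED_VERSION = "9.3.5"


def parse_version(text):
    """Extract a dotted version from strings such as 'iOS 9.3.5', '9.3' or '10.0.1'
    and return it as a tuple of ints, e.g. (9, 3, 5).

    Raises ValueError if the string carries no version number at all.
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(parts, length):
    # Right-pad with zeros so (9, 3) compares as (9, 3, 0) against (9, 3, 5).
    return parts + (0,) * (length - len(parts))


def is_patched(version, patched=TRIDENT_PATCHED_VERSION):
    """True if `version` is the patched release or anything newer."""
    reported, required = parse_version(version), parse_version(patched)
    width = max(len(reported), len(required))
    return _pad(reported, width) >= _pad(required, width)


def find_exposed_devices(inventory, patched=TRIDENT_PATCHED_VERSION):
    """Return the ids of devices whose reported iOS version is older than `patched`.

    Devices whose version string cannot be parsed are reported as exposed too:
    an unknown version must not be assumed safe. Field names `id` and
    `os_version` are assumed for this example.
    """
    exposed = []
    for device in inventory:
        try:
            patched_ok = is_patched(device["os_version"], patched)
        except ValueError:
            patched_ok = False
        if not patched_ok:
            exposed.append(device["id"])
    return exposed


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    {"id": "dev-001", "os_version": "iOS 9.3.5"},   # patched
    {"id": "dev-002", "os_version": "9.3.4"},       # one build short of the fix
    {"id": "dev-003", "os_version": "9.3"},         # two-component version, older
    {"id": "dev-004", "os_version": "10.0"},        # newer major version
    {"id": "dev-005", "os_version": "9.3.10"},      # numeric, not lexical, ordering
    {"id": "dev-006", "os_version": "unknown"},     # unparseable: treat as exposed
]

if __name__ == "__main__":
    for dev_id in find_exposed_devices(SAMPLE_INVENTORY):
        print(f"{dev_id}: update to iOS {TRIDENT_PATCHED_VERSION} or later")
```

Run stand-alone, the script lists dev-002, dev-003 and dev-006. The same comparison serves for any later fix: change `TRIDENT_PATCHED_VERSION` to the release that closes the next disclosed chain.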

Skycure Mobile Threat Defense notifies its users of the availability of security updates the moment they are available, even if the notice from Apple will come days later. In the case of iOS 9.3.5, which patches the Trident vulnerabilities, Skycure users were notified to update before Apple issued an alert.

Visibility of risks is critically important to keeping your mobile devices safe. Although no security solution currently can prevent a successful Pegasus infection, Skycure will prevent the infection from doing harm by detecting the impact of such exploits in real time, such as jailbreaking of the device and patching of existing legitimate apps. In fact – and this is the most important thing of all – Skycure is the only solution that protected devices from the effects of Pegasus and the Trident vulnerabilities even before they were disclosed. Furthermore, Skycure will continue to protect devices and organizations from the harmful impact of Pegasus and the NEXT undisclosed threat, without the need to make any changes to the solution.

Brian has been a thought leader and respected advisor in enterprise IT for over 15 years. With experience in engineering, product management, marketing, business strategy and technology evangelism, he has held executive-level positions at business- and consumer-facing companies, both large and small, and has multiple degrees in engineering and technology management. Brian has spent the last seven years focused on enterprise mobility, with a focus on achieving both productivity and security.